At 11:25 PM -0800 2/1/06, Douglas Campbell wrote:
All,
I mentioned previously that my domain name has been hijacked by
spammers for use in falsified return paths. As a result, I am
receiving approximately 500 bounce e-mails per day from spammed
servers. I've noticed something quite interesting about the most
recent batch of bounces -- the message id of the bounced spam
attachment starts with what appears to be an ESC 20 (or, more
exactly, text looking like <R[20), with the rest of the headers and
body suppressed.
I'm wondering what the spammers are up to with this -- the bounce
e-mail contains virtually NO information to allow me to backtrace.
Any ideas?
These have been flowing for years, and there has been some debate
over exactly what is going on, but it is either a software bug in a
piece of spamware that uses compromised machines, a common spammer's
misconfiguration of such a tool, or (dubious) the effect of some
security device between the sending zombie and the receiving MTA.
The appearance you describe is a bit misleading. The fingerprint of
this flavor of runt spam is:
1. Very short message data: rarely more than 3 lines, sometimes just one.
2. If there is any formal body, it looks like a detached header,
usually a malformed Message-ID.
3. Often there is one (clearly fake) Received header.
4. Rarely, there is a Date header.
5. The trailing end of the last line (usually a detached Message-ID
'header') is '[' followed by one or two digits, with the Message-ID
subspecies always ending with '[20' preceded by '<' and one capital
letter.
I would bet that if you look closely at the mail you describe, you
will notice that the Message-ID 'header' is detached, and that if it
has a Received header unassociated with the machine bouncing the
mail, that header is not actually credible, and maybe not even
complete.
--
Bill Cole
bill(_at_)scconsult(_dot_)com
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
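An added example (not code from either poster or from the list) that scores the original-message data carried in a bounce against the five fingerprint points Bill lists, so bounces of this runt flavor can be filed automatically rather than read by hand. The `own_host` value and both sample messages are constructed placeholders, not real bounces.

```python
import re

# Patterns for the trailing "[N" / "<X[20" marks named in the fingerprint.
TRAILING_BRACKET = re.compile(r"\[\d{1,2}$")
MSGID_SUBSPECIES = re.compile(r"<[A-Z]\[20$")
HEADER_LINE = re.compile(r"^(Received|Message-ID|Date):", re.IGNORECASE)

def unfold(lines):
    """Join RFC 2822 folded continuation lines onto their parent header."""
    out = []
    for line in lines:
        if out and line[:1] in (" ", "\t"):
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out

def runt_indicators(attachment, own_host="mx.example.org"):
    """Check bounced message data against each point of the runt fingerprint.
    own_host (placeholder) is the bouncing MTA; a Received line that never
    names it is the 'unassociated', non-credible one from the post."""
    raw = [ln.rstrip("\r") for ln in attachment.split("\n")]
    split = raw.index("") if "" in raw else len(raw)  # header/body boundary
    logical = [ln for ln in unfold(raw) if ln.strip()]
    body = [ln for ln in raw[split + 1:] if ln.strip()]
    last = logical[-1] if logical else ""
    received = [ln for ln in logical if ln.lower().startswith("received:")]
    return {
        "short": len(logical) <= 3,
        "detached_header": any(HEADER_LINE.match(ln) for ln in body)
        or (not body and bool(HEADER_LINE.match(last))),
        "trailing_bracket": bool(TRAILING_BRACKET.search(last)),
        "msgid_subspecies": bool(MSGID_SUBSPECIES.search(last)),
        "foreign_received": any(own_host not in ln for ln in received),
        "has_date": any(ln.lower().startswith("date:") for ln in logical),
    }

def is_runt_spam(attachment, own_host="mx.example.org"):
    """Verdict: tiny data, bracket mark on the last line, stray header as body."""
    ind = runt_indicators(attachment, own_host)
    return ind["short"] and ind["trailing_bracket"] and (
        ind["detached_header"] or ind["msgid_subspecies"])

# Constructed samples (not real bounces): a runt and an ordinary message.
RUNT = ("Received: from mail.example.net (203.0.113.9)\n  by relay.example.com"
        " with SMTP; 1 Feb 2006 23:10:02 -0000\n\nMessage-ID: <R[20\n")
NORMAL = ("From: alice@example.net\nTo: bob@example.org\nSubject: hi\n"
          "Message-ID: <20060201231002.ab12@example.net>\n\nSee you Friday.\n")
```

Feed it the original-message part of each bounce (the text after the DSN's own headers) and file anything that scores as a runt, keeping the indicator dict for later review of which fingerprint points it hit.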